Cybersecurity firm SentinelOne has uncovered a wide-ranging cyber-espionage campaign, linking Chinese-backed threat actors to intrusions targeting over 70 organizations across government, media, technology, and manufacturing sectors between July 2024 and March 2025.
The company attributed the attacks to two main threat clusters, PurpleHaze and ShadowPad, both connected to the Chinese espionage groups APT15 and UNC5174, according to a thorough analysis released by its SentinelLabs subsidiary. The activity included reconnaissance against SentinelOne’s own internet-facing servers in October 2024 and a January 2025 breach of a third-party logistics provider that manages SentinelOne’s hardware.
Researchers Aleksandar Milenkoski and Tom Hegel identified six activity clusters, starting with the June 2024 compromise of a South Asian government entity using ShadowPad malware. Later attacks targeted a European media firm and included the deployment of GoReShell, a reverse shell tool exploiting unpatched Ivanti vulnerabilities (CVE-2024-8963, CVE-2024-8190) and infrastructure traced to Chinese networks.
The campaign marks the first documented abuse of software by The Hacker’s Choice (THC), an ethical hacking collective, by nation-state actors. SentinelOne believes UNC5174, a known Chinese initial access broker, was behind several of the intrusions and likely passed access to other state-aligned groups.
Despite attempts to breach SentinelOne’s internal systems, a thorough investigation found no evidence of compromise. However, the campaign illustrates a growing trend: cybersecurity vendors themselves are becoming high-value targets.
“This level of targeting shows China’s long-term cyber strategy—quiet, persistent, and aimed at disrupting global digital infrastructure,” said cybersecurity expert Heath Renfrow. SentinelOne echoed this sentiment, calling for more transparency, intelligence sharing, and stronger coordinated defenses across the industry.
The company hopes its findings will push peers to break the stigma around public disclosures and encourage joint action to defend against state-sponsored cyber threats.